All security models call for a threat model; it is one of the key inputs or factors in the construction of the security model. Secure browsing - SSL / HTTPS - lacked this critical analysis, and recent work over on the Mozilla Browser Project is calling for the rectification of this. Here's my attempt at a threat mode for secure browsing, in draft.
Comments welcome. One thing - I've not found any doco on how a threat model is written out, so I'm in the dark a bit. But, ignorance is no excuse for not trying...
As a piece of cross-fertilisation from OpenPGP's fingerprint-based verification, Mister Lee has written a plugin called SSLBar that displays the fingerprint of a website certificate. I stumbled on this a while back, but didn't have a Mozilla browser. Now I have, and I've plugged it in!
After a few moment's thought as to who uses an SSL certificate (!) I went off to Verisign, and hey presto, their certificate has this fingerprint: 0f:a5:b0:52:7b:a9:8f:c6:62:76:ca:16:6b:a2:2e:44:a7:36:36:c9
One bug - I couldn't cut&paste the fingerprint, and had to type it in by hand.
Here's CACert's fingerprint: f6:20:2a:8d:ef:a4:e6:39:5d:b4:c5:fa:54:38:d6:04:6f:a0:74:e9
I'd encourage y'all to download and install the SSLBar, and check that these fingerprints are correct.
As the certs of CAs are by definition self-signed, then, according to their own doctrine, we need some trusted third party to check they are valid. We could wait until they start cross-signing, or we could just start a web of trust for them!
(As an aside, here is CACert's root certificate: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33 ... I managed to cut&paste that one from the website, after confirming it by eyeball.)
Now, it occurs to me that if we send enough copies of these cert fingerprints around, in the various posts to various lists, then one could use google to clarify the correct cert for each site. This is a trick I learnt from the gold community - it seems that banks don't know their ABA and SWIFT numbers, but their customers do, and google will tell you.
If, for example, Mozilla (SSLBar) were to take further the notion that customers know more, then it could automatically google for the www.verisign.com and then count up the number of occurrences of the fingerprint. This would give a confidence level as to the validity of the cert.
Hey presto, GoogleCA!
This Slate article "Can They Hear You Now?" details how a Kazaa-style VoIP operator called Skype has emerged.
What type of encryption is used?
Skype uses AES (Advanced Encryption Standard) - also known as Rijndel - which is also used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1536 to 2048 bit RSA to negotiate symmetric AES keys. User public keys are certified by Skype server at login.
(It's worth reading the entire article... click on!!!)
Can They Hear You Now?
How the FBI eavesdrops on Internet phone calls (and why it sometimes can't).
By David S. Bennahum
Posted Thursday, Feb. 19, 2004, at 2:49 PM PT
The Federal Communications Committee and the Justice Department are at loggerheads over a new problem in the war on terror: how to listen in on Internet phone calls. Thanks to the blistering growth of VoIP?Voice over Internet Protocol?services, which have been adopted by approximately 10 million people worldwide so far, law enforcement officials now worry that wiretapping may one day become technically obsolete. If traditional phone lines go the way of the horse and carriage, will the FBI still be able to listen in on Internet phone calls? How would it go about tapping one? Is it even possible?
I contacted three of the leading VoIP providers in the United States?Time Warner Cable, Vonage, and Skype?to ask them how they would comply with a court order to permit a wiretap. As it turns out, the Justice Department has good reason to worry. Depending on the provider, tapping a VoIP call can be either tricky or impossible.
For Jeffrey Citron, the CEO of Vonage, the critical problem is this: The 1994 law that dictates how telecoms must cooperate with the feds (it's known as CALEA) stipulates that government agents can listen in on phone calls only in real time. They are not permitted to record calls and play them back later to check for incriminating information. But as Citron explained it, on Vonage's system, it is technically impossible (for now) to listen in on a live phone call.
Here's why: A VoIP call transforms your voice into digital bits, then segments them into separate packets of data that are routed through the Internet and reassembled upon arrival at the other end. From an old-fashioned perspective, there is no actual "sound" passing through the Internet at any time?the PC or other device you use to place the VoIP call digitizes your voice in your home. Of course, a huge amount of regular phone traffic is also segmented into digital packets at some point, but such calls are digitized and then reconverted into sound waves far deeper into the telephone system, at points outside private homes. Law enforcement can therefore listen in on your line within the telephone system itself; the technology to do this is already embedded in the phone company's switches.
In theory, Vonage could comply with a tap request by making a copy of the call in real time and streaming that call to a law enforcement agent. But that tack would violate CALEA, since Vonage would still be making a copy of the original call. The alternative, Citron says, is for Vonage to modify its VoIP system so that its digital routers include analog-friendly wires capable of producing a real-time sound wave. These could then be linked to a law enforcement agency, permitting simultaneous listening-in. Citron says making the shift would cost Vonage a few million dollars?before taking any action, he's awaiting further regulatory instructions from the FCC. The company has already complied with between 10 and 100 requests from various government agencies for general information (including call records and billing history), but to date, he has yet to receive a single request for a live tap into a Vonage call.
Time Warner Cable, which has announced that it will make VoIP available to all its digital cable markets by the end of the year, would have a much easier time wiretapping live phone calls. That's because Time Warner owns the underlying infrastructure its VoIP service relies on. So while Vonage could offer government agents access only to the handful of routers it uses to direct its calls over the wider Internet, Time Warner can offer them direct access to the cables, routers, and switches over which its VoIP calls travel. It could, in theory, open a live channel for law enforcement at the place where Time Warner's cable modem signals are routed onto the wider, public Internet. This switch, known as the Cable Modem Termination System, is a natural junction where a company like Cisco, which already builds CMTS hardware, could easily and cheaply add in CALEA-compliant technology.
Why, then, couldn't the feds tap any VoIP call by listening in on the line at the CMTS? Because some VoIP calls are routed, digitized, or encrypted in ways that law enforcement can't decipher. Skype, which now boasts 7 million users, specializes in such encryption. The company's system is designed to thwart potential eavesdroppers, legal and otherwise. The difference begins with how the networks are designed: Both Time Warner and Vonage offer VoIP services that run through centralized networks. For instance, when I place a call through Vonage, it starts by going to a centralized Vonage computer, which in turn looks up the phone number I am dialing and routes the call over to the traditional phone system. This is a classic instance of a "hub and spoke" network. But Skype, built by the same people who brought us Kazaa, is a totally distributed peer-to-peer network, with no centralized routing computers. (That's possible in part because Skype calls can only be sent and received by computers?you can't call a friend with an analog phone.) As a result, the company's network looks more like a tangled spider web, and the packets that make up your voice in a Skype call are sent through myriad routes to their destination. Part of the brilliance of the Skype software is that it has learned to use desktop PCs as "supernodes," each sharing some of the load needed to route Skype calls quickly to their destination. From the caller's perspective, this is all invisible: The call just works.
Since it's exceedingly difficult to follow the path that a Skype call makes through the network, law enforcement agents would be hard-pressed to figure out where to place a tap. But even if they could, the company has built in such strong encryption that it's all but mathematically impossible with today's best computer technology to decode the scrambled bits into a conversation. Here's how Skype explained it: "Skype uses AES (Advanced Encryption Standard)?also known as Rijndel?which is also used by U.S. government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message." The point of all this mumbo-jumbo is that Skype uses an encryption algorithm* known as 256-bit AES. The National Institute of Science and Technology states that it would take a computer using present-day technology "approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key." And that's for the 128-bit version; Skype uses the more "secure" 256-bit standard. Since computers have a way of quickly getting more powerful, the institute forecasts that "AES has the potential to remain secure well beyond twenty years."
Moreover, Skype says, the company does not keep the encryption "keys" that are used to encode each Skype transmission?each one is generated and then discarded by the computer that initiates the call. So government agents couldn't force Skype to turn over the keys needed to decrypt a call either.
Last Thursday the FCC held an open hearing on the future of VoIP telecommunications. In a 4-1 decision, FCC commissioners, supported by Chairman Michael Powell, voted that a VoIP provider called Free World Dialup should not be subject to the same regulations as traditional phone companies?including the particulars of CALEA compliance. Instead, the FCC decided to put off the issue, stating that it would initiate a proceeding "to address the technical issues associated with law-enforcement access to Internet-enabled service" and "identify the wiretapping capabilities required." One commissioner, Michael J. Copps strongly dissented, calling the postponement "reckless."
But even if the FCC had ruled differently on Thursday, mandating specific rules for Internet phone calls and CALEA compliance, it couldn't have been the definitive word on the subject.
VoIP technology is gaining ground so fast that it may be impossible for any government agency to dictate what these networks should look like. Skype, for instance, isn't even an American company. It's legally based in Luxembourg. Increased regulation on American carriers, which could lead to higher costs for consumers, is likely to push people further toward carriers like Skype, rewarding companies that seek permissive legal jurisdictions and punishing those that try to comply with domestic regulations. It's this scenario that the Justice Department legitimately fears: Even though the Patriot Act has increased its ability to eavesdrop on Americans, companies like Skype are giving everyday people unprecedented freedom from government monitoring.
Correction, Feb. 20, 2004: This piece originally stated that Skype uses an encryption algorithm built by RSA known as 256-bit AES. In fact, RSA did not build this algorithm. (Return to corrected sentence.)
David S. Bennahum is a contributing writer with Wired and the author of Extra Life: Coming of Age in Cyberspace.
Illustration by Mark Alan Stamaty
"London, UK - 19 February 2004, 17:30 GMT - A study by the mi2g Intelligence Unit reveals that the world's safest and most secure online server Operating System (OS) is proving to be the Open Source family of BSD (Berkley Software Distribution) and the Mac OS X based on Darwin. The study also reveals that Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Microsoft Windows based servers have fallen consistently for the last ten months."
To read the rest, you have to buy the report, but ...
You can see more in the article below, from last year:
Linux is favourite hacker target: Study
By JACK KAPICA Globe and Mail Update
Friday, Sep. 12, 2003
Linux, not Microsoft Windows, remains the most-attacked operating system, a British security company reports.
During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers, according to the report.
Just 360 - less than 2 per cent - of BSD Unix servers were successfully breached in August.
The data comes from the London-based mi2g Intelligence Unit, which has been collecting data on overt digital attacks since 1995 and verifying them. Its database has tracked more than 280,000 overt digital attacks and 7,900 hacker groups.
Linux remained the most attacked operating system on-line during the past year, with 51 per cent of all successful overt digital attacks.
Microsoft Windows servers belonging to governments, however, were the most attacked (51.4 per cent) followed by Linux (14.3 per cent) in August.
The economic damage from the attacks, in lost productivity and recovery costs, fell below average in August, to $707-million (U.S.).
The overall economic damage in August from overt and covert attacks as well as viruses and worms stood at an all-time high of $28.2-billion.
The Sobig and MSBlast malware that afflict Microsoft platforms contributed significantly to the record estimate.
"The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.
"Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
"The May figures for manual and semi-automated hacking attacks - 18,847 - against online servers worldwide show signs of stabilisation in comparison to each of the three previous months. At present rates, the projected number of overt digital attacks carried out by hackers against online servers in 2004 will be only 2% up on the previous year and would stand at around 220,000. If this trend continues, it will mark the slowest growth rate for manual and semi-automated hacking attacks against online servers according to records that date back to 1995. This confirms that the dominant threat to the global digital eco-system is coming from malware as opposed to direct hacking attacks."
Again from Simon Lelieveldt's blog, we see some photos and explanation of a Candid ATM Camera and a duplicate card reader inserted on an ATM Housing, for snooping numbers.
Just to get a feel for this, it is worth clicking and waiting for the photos to download! Check the quality of the worksmanship for the hidden camera.
Ko Fujimura and Masayuki Terada have placed their "XML Voucher" into Internet Draft status.
The XML Voucher is the next closest thing to the Ricardian Contract that exists. It differs in many details, but the salient advantage of this form over the Ricardian Contract appears to be its use of XML.
The ID's purpose is to capture some of the details of a retailer's marketing offer, but it does not go so far as to present itself as a contract suitable for securities dealings.
For example, it does nothing towards the Ricardian Contract's rule of one contract . The voucher is a programmatic construct, rather than a readable document.
One thing should be noted: definitions and wider scope of their Voucher Trading System appear in RFC3506, and that document should probably be read first.
The BBC writes that "the FBI ... says piracy is now its third biggest priority behind terrorism and counter-intelligence." Weighing in to the fight against piracy, the BBC also includes a smorgasboard of links on how, when, where to download and copy, over on the right hand side.
FBI weighs into anti-piracy fight
CDs, DVDs, and video games in the US are to get an FBI seal in an attempt to deter people from copying them.
The new labels warn consumers that criminal copyright infringement could land them with a $250,000 (£133,000) fine and five years in prison.
They each carry the seal of the FBI, which says piracy is now its third biggest priority behind terrorism and counter-intelligence.
US entertainment firms says they are losing billions of dollars to piracy.
"The theft of copyrighted material has grown substantially and has had a detrimental impact on the US economy, said the assistant director of the FBI's cyber division, Jana Monroe.
The FBI said it was up to individual companies whether the label appeared on the packaging, or on screen.
The full warning reads: "The unauthorised reproduction or distribution of this copyrighted work is illegal.
"Criminal copyright infringement, including infringement without monetary gain, is investigated by the FBI and is punishable by up to five years in federal prison and a fine of $250,000."
The label has the backing of the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), and two groups representing the software industry, the Entertainment Software Association and the Software and Information Industry Association.
RIAA executive vice president Brad Buckles said: "As the seal attests, these are serious crimes with serious consequences - including federal prosecution - to making unauthorised copies or uploading music without permission, and consumers should be aware of them."
Last year the RIAA filed hundreds of lawsuits through the US courts against individuals it accused of swapping music online.
MPAA senior vice president Ken Jacobsen said the film industry was losing $3.5bn (£1.86bn) each year through piracy, before copying via the internet was taken into account.
"With hundreds of thousands of jobs at stake nationwide, piracy is a serious threat to the entire entertainment industry," he said.
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/entertainment/music/3506301.stm
Published: 2004/02/20 12:14:07 GMT © BBC MMIV
Simon L mentions this article on debit card fraud. Curiously, no mention of Internet-related frauds, but a nice overview of the ways that ATMs get physically attacked.
The great shifts in currency politics go on - this polemic "Bretton Woods and the Forgotten Concept of International Seigniorage" is on the background of the USD since Bretton Woods, leading up to the recent Iraq invasion. Evidence seems to be mounting that one of the major factors (of three or four) was the importance of the oil-dollar trading book as a mainstay for USD reserves at world central banks.
Dix Sandbeck
In the summer of 1944, delegates from 44 allied nations met for the now famous economic conference at Bretton Woods, New Hampshire. Their mandate was to finalize plans for the post-war economic order and currency cooperation that had been circulating among the Allied nations.
Some of the results of this meeting are still familiar elements of the current structure for international economic co-operation: the International Monetary Fund - and the World Bank are cases in point.
Largely forgotten today is that the establishment of an international reserve currency had also been on the agenda at the time. Keynes, chairing the British delegation, proposed the establishment of a special reserve currency, provisionally named the "bancor." President Roosevelt had at first instructed the American delegation to support such an initiative.
Keynes envisaged the bancor as an international trade currency and unit of account. Its management and issue was to be in the hands of an another planned international organization, the International Clearing Union (ICU). The value of the bancor was to be determined by the value of the different national currencies in a trade weighted basket. Values of currencies would be fixed, but could be changed by mutual agreement.
A fundamental aim of Keynes' plan was to install a truly multilateral system. No nation would be allowed to dominate; nations in surplus or in deficit would be disciplined alike. Shortly before the conference however, the Americans rescinded their support for the bancor. Presumably, they felt that the bancor scheme, with its control in the hands of the ICU, was a shrewd strategy to rob the United States of its greatest spoil of victory: unfettered post-war dominance.
Instead, the Americans insisted on a system where the US dollar would be fixed to a gold value of $35 per ounce, though convertible only for central banks. All other currencies were to be aligned to this dollar-gold anchor. If adopted, this would confer on the US an unprecedented supremacy Even Britain, at the pinnacle of her power had not enjoyed such a position. But at Bretton Woods the exhausted European nations were eager for the continued flow of dollars to finance the war and the impending reconstruction. No nation was in a position to challenge the American volte-face.
In general, the dollar-gold link has been viewed as the key feature of the Bretton Woods system. In 1971, President Nixon "closed the gold window" by officially cancelling the right for all other central banks to convert any dollar holdings into gold. Many have considered this the year of Bretton Woods' demise. However, the dollar-gold link had always been an illusion elevating the dollar to the role of a global reserve currency. The true significance of Nixon?s decree in 1971 was simply to destroy that mirage.
The fixed exchange rates served a clear purpose in the immediate post-war period when stability was at a premium. After economic activity and trade had rebounded, the tendency of fixed exchange rates to magnify misalignments took over.
International Seigniorage
Seigniorage as a concept originated in medieval times. Monarchs used their monopoly in coining precious metals as a major source of revenue. Periodically an issue of gold or silver coins would be recalled, recoined with a lesser precious-metal content. The difference in value, between the face value and value of actual gold or silver content, was the seigniorage gain. When modern states expand their monetary base, they do so by sending more money into circulation, which pays for some of their expenditures. Since money is largely credit today, the seigniorage gain is almost equal to the face value.
Countries whose money functions as international reserve currencies, benefit from seigniorage, on an international scale. They can, as a nation, pay for imports with the seigniorage gain accruing from the expansion of international reserve holdings of their currency.
Ultimately, Bretton Woods allowed the US to reap international seigniorage by providing the world with much needed reserves. As a result, the US was able to impose many of its internal problems onto other nations. This key outcome of Bretton Woods continues to be an integral part of the global economic order.
By the late seventies, the oil crises had dramatically changed the terms of trade between the oil exporting nations and the rest of the world. Through forging a close political partnership with Saudi-Arabia, the leading oil exporter, the US ensured that oil would continue to be priced in dollars.
The oil exporting countries' collective surplus of petro-dollars was recycled back into the international financial system as liquidity, which was increasingly held in off-shore accounts as eurodollars. Although many of the developed nations experienced rising trade deficits, they had little problem in financing them by drawing on these pools of liquidity. The real losers were the developing nations that ran into exploding debt burdens.
Currently, international organizations with a role in providing development assistance to the Third World are almost entirely dependent upon contributions or paid-in quotas from richer nations. The bancor plan would have made the gain from international seigniorage partially or fully accessible for development assistance, instead of, as it is now, squandering it in support of the world richest nation and its over-consumption.
The Road to Baghdad
By the late nineties, US dollar holdings were estimated to account for approximately 65% of all held international reserves. The resultant dollar strength has allowed the US to sustain imbalances in the form of budget and trade deficits, that no other nations would be capable of (as was the case during the Reagan administration). The Clinton administration successfully turned the budget deficit around, but at the cost of a trade deficit that escalated uncontrollably.
The US economy has continuously reaped the benefits from the international economic system's inability to discipline it effectively. Because of this, American administrations have become accustomed to pandering to short term economic interests of key constituencies. Not surprisingly, these policies have resulted in such abysmal deficit levels, that had a developing nation applied for IMF support with such numbers, they would have been promptly rejected or at least placed under a harsh array of conditions. However, there is evidence that the days of smooth sailing are drawing to an end.
The first problem arises from the fact that dollars need to be invested in dollar denominated assets in order to earn a return. Consequently, when the world experiences a rising dollar overhang, it creates inflationary tendencies in the pricing of dollar assets. This was no doubt a major factor behind the stock market bubble of the '90s. The subsequent correction appears to have made international dollar holders wary of repeating the cycle.
Then there is the emergence of the euro as a full-fledged currency, presently used by 12 of the EU nations. This means that all trade and tourism spending between these nations has become internalized into euro transactions. Previously, the majority of these transactions were based on non-dollar pricing and reserve holdings.
As previously mentioned, a major component in maintaining the dollar's dominant position during the wake of the oil crises, was the Saudi's commitment to preserve the dollar as the currency in which oil was priced. This leads to the third, but potentially the most worrisome, cloud in the sky for the Americans. For a long time, the majority of nations seemed to have acquiesced to the oil-dollar relation, the linchpin of its dominance in recent decades. Nevertheless, signs have emerged during the last couple of years that this is no longer the case. A clear example can be observed in the actions of Chavez in Venezuela who started to counter-trade with some of his Latin American neighbors, thus cutting the dollar out of the loop.
But the real shocker for the Americans must have been when Saddam declared in November of 2000, that Iraq would commence pricing their export under the oil-for-food program in euros. American worries were compounded by subsequent rumours that both Libya and Iran were considering a similar currency shift.
This leads to the final question concerning the real reasons behind the American attack on Iraq. Did the Americans really have such faulty intelligence that they deemed Iraq to be an imminent threat to their security?
Of course not. However, by pricing Iraq's oil in euros, WMDs or not, Saddam engaged in an ultimate act of American defiance. What definitive role it played in galvanizing the American call to war, is hard to say. What is clear however, is that toppling Saddam's regime showed everybody the big stick, and more importantly took the impending euro pricing of oil off the table.
Dix Sandbeck
from Economic Reform, Sep. 2003
A story on the Mises Institute site has it that the regulators in the US are now worried about soft dollars, and are looking to close down on the practice.
The story makes some good points - such as soft dollars having been accepted for decades, and even condoned in the law. Now they are bad and unacceptable and must be stopped.
Soft dollars, by the way, are a fascinating internal currency used between insiders in wall street and other trading worlds. They are a self-issued currency, handed out as kickbacks by suppliers, and taken back in exchange for some other mild services. The classical path is for a pension to be paid soft dollars in exchange for passing a trade through a bank. Then, the pension purchases research from the bank, paying with soft dollars.
Whether that's a transfer pricing scheme, as some would have it, or an internal market currency, like our PSD, or a rort designed to rape the unprotected public, depends on many factors. What is clear is that they evolved through pressures in the market place, and probably have their place. But, like anything, they can be abused.
Instead of fixating on the tabloid libertarian rhetoric, it would have been more useful to speculate on why this is all going on. One clue - the ICI, deep in the midst of crisis from the mutual funds scandal - is asking for the bad stuff to be stopped. How convenient.
Today's GoldMoney Alert from James Turk postulates that OPEC oil sales are already priced in Euro terms.
It's based on correlations over three years...
Three data points is not enough to draw a conclusion, but it's a very interesting postulation. One would need to look at the quarterly or monthly figures to develop any confidence in the claim.
Mind you, it is to be expected. If OPEC started pricing in Euros, they would have maybe not announced it, given the sensitivities. There's nothing like allowing the aggressive dollar traders to discover the fait accompli.
Still, the real question, as James pointed out, is whether they are invoicing in Euros, or accepting payment in Euros without undue conversion penalty. If Oil is in the process of switching from dollar trading to Euro trading, or even a hybrid, this reduces the need for central banks to hold so much dollar reserve, thus releasing more dollars to go back home to the US of A.
Jeroen found this definition:
"Securities that are recorded in electronic records called book entries rather than as paper certificates."
and this one:
"a method of registering securities. There is no physical certificate. Ownership is solely reflected by an entry in the books of the issuer."
Which doesn't say much really. Still, it's their term and they get to define it. Question is, what do we call Ricardo, in contrast to "book entry securities."
In essence, Ricardo uses book entries. So do all systems of any sophistication, as book entries have gathered popularity since the 13th century invention of double entry book keeping.
Token money people - blinded bearer coins - were fond of pointing out that book entry was the problem. In a way, it was, but it wasn't that it was using books, but the inefficiencies brought in by its vague pencil & abacus approach to the whole situation. As the books were quite brief in their information, and as they were mostly updated manually, with frequent error corrections, the system can't really maintain any reliable accuracy.
RIcardo does book entry without the errors. All the information is there, and each entry only needs to be made once. Once made, it stays made. How hard is that?
However hard it was, it might not be as hard as creating a metaphor to show the difference between Ricardo and book entry securities!
Over on Simon's blog, he reports that PayPal is to be licensed as an eMoney issuer by the FSA in the United Kingdom.
Simon postulates that "This is a very remarkable moment, demonstrating that of all EU supervisors, the British FSA operates best. They did not hesitate to give licenses to Internet-based new entrants companies such as Moneybookers, Prepay Technologies and now Paypal."
The eMoney licence requirement was always seen as a barrier to entry, raised by the banks to protect themselves, and of no discernable benefit to any other party such as consumers. The eventual layout of the directive said "you don't have to be a bank, but you have to look and act like a bank, and have lots of money too..."
Hence, the EU practically guaranteed that eMoney would not arise in their patch, and people like PayPal would need to bring their bona fides in from the US, which requires no special permission to experiment with Internet money.
Similarly, DGCs have never taken as much root in Europe as they have in the North American and Australasia, mostly due to the regulation and innate conservatism of the people (a.k.a. lack of entrepreneurial spirit). I've seen several efforts to create exchange providers and adjunct branches of DGCs in European countries come adrift, and it all seems to come down to the same thing in the end: eventually the people concerned bump into, and pay attention to, the "not welcome here" sign hung up by the financial regulators.
It's almost as if the message is, "who are we to interfere with the colonialisation of Europe?"
I have rewritten/revised a paper on the Ricardian Contract, for WEC. It is meant to cover the foundations, design and results of same, in a fullsome, yet readable fashion.
Contact me if you are in a mood to review it! It's in the normal secret place, under the name of ricardian_contract with all the normal suffixes.
Here is a recent paper on the notion of programs only recovering and only recovering fast. That is, they never get shut down, only killed. They never start up "normally", only recover.
Ricardo has always done this, and in fact the accounts engine, LaMassana, makes a big play of this design principle as its secret weapon to achieve high reliability and high performance in not so many lines of code. The other components also do that, but aren't stateful, so are less interesting.
There is one area where Ricardo deviates from the paper - pre-emptive or algorithmic crash-rebooting. As we are doing transactions, we want to know the cause of every crash, and either fix it, or not mask it.
Referenced here in the FC-KB
Abstract:: "Crash-only programs crash safely and recover quickly. There is only one way to stop such software by crashing it and only one way to bring it up by initiating recovery. Crash-only systems are built from crash-only components, and the use of transparent component-level retries hides intra-system component crashes from end users. In this paper we advocate a crash-only design for Internet systems, showing that it can lead to more reliable, predictable code and faster, more effective recovery. We present ideas on how to build such crash-only Internet services, taking successful techniques to their logical extreme."
July, 2004, Stanford, California
This workshop is intended to foster collaborations between computer scientists who seek to enhance the security and privacy of sensitive data about people and organizations and domain experts in fields that need technological solutions to address customer concerns and to fulfill legal obligations. The goal is to formulate specific technical problems that are important to user communities that deal with large amounts of sensitive but are not satisfactorily solved by current
technology.
PORTIA Workshop on Sensitive Data in Medical, Financial, and Content-Distribution Systems
July 8-9, 2004
Frances C. Arrillaga Alumni Center, Stanford University, Stanford CA
A half-day will be spent on each of three domains:
1) Medicine, in which advances in computing and communication technology can enhance treatment and research but can also threaten patient privacy. This session will include an invited presentation by Dr. Daniel Masys, Director of Biomedical Informatics at the UCSD Medical School (http://medicine.ucsd.edu/faculty/masys/).
2) Financial services, in which vast amounts of transaction data are routinely stored and transmitted, but individuals and firms are deeply concerned about security and privacy, and complex legal requirements apply. This session will include an invited presentation by Dr. Daniel Schutzer, Vice President, Director of External Relations and Emerging Technologies in Information Security and Compliance at Citigroup.
3) Digital content distribution, in which rights holders and libraries seek distribution systems that simultaneously obey copyright law, respect user privacy, and permit legitimate user profiling, usage
monitoring, and data mining.
There will also be one half-day devoted to technological challenges common to all domains and user communities that deal with large amount of sensitive data. Activities will include invited presentations, contributed presentations, and break-out sessions.
Workshop Co-Chairs:
Joan Feigenbaum (Yale University)
Vitaly Shmatikov (SRI)
Vicky Weissman (Cornell University)
Important Dates:
May 1, 2004: Submissions due
May 1, 2004: Requests for travel support due
June 1, 2004: Accept/reject decisions sent
June 15, 2004: Final abstracts due
July 8-9, 2004: Workshop
Submission Instructions:
If you would like to speak at this workshop, please send a 1- to 2-page abstract of your proposed talk by May 1, 2004 to pw-org@csl.sri.com. If your submission is accepted, you will be expected to provide a final version of your abstract for posting on the workshop website by June 15, 2004. Links to complete papers may also be posted at the speakers' request but are not required.
Travel Support:
A modest amount of travel support is available. If you would like to attend this workshop but require travel support in order to do so, please contact pw-org@csl.sri.com by May 1, 2004.
This workshop is sponsored by the National Science Foundation's ITR program through the PORTIA project on sensitive data (http://crypto.stanford.edu/portia).
Goldmoney, a DGC with strong governance and strong growth, announced it had reached a metric tonne in mass of gold in accounts. That's about $13.2m worth, or about €10.3m at today's spot prices.
It also announced 10,000 customers in 100 countries.
Goldmoney's growth has been consistent at about 4 times per year for the last year. If it maintains this rate of growth, it will take over prime position from e-gold sometime around the middle of 2004, measured by mass of gold.
Other measures - primarily the number and size of transactions - are not reported byDGCs other than e-gold, the current market leader. The provision of detailed gold bar reports and statistics is necessitated by good governance practices, something that doesn't apply so clearly to transaction statistics.
A cert for a new CA, conveniently named CACert, is being proposed for addition to Mozilla, the big open source group pushing out a successful browser.
As CACert is not a commercial organisation, and doesn't sell its certs for any sort of real money, this has sparked quite a debate.
Mozilla Foundation has held firm to its non-commercial roots so far, by announcing and publishing a draft policy and faq that espouses no-cost CA Cert addition, and fairly perfunctory checks.
The groundswell for reworking browser approach to the crypto security layer is growing. In 2003, I pressed the debate forward with a series of rants attacking the SSL/HTTPS (in)security design.
I suggest the way is now open for cryptographers to adopt economic cryptography, rather than the no-risk cryptography approach used and since discredited in SSL.
In the specific case of SSL/HTTPS, we recommend moving to:
Copying the successful economic cryptography model of SSH would definitely lift the ugly duckling SSL crypto system up out of the doldrums (1st in above rants page, "How effective is open source crypto?" discusses the woeful statistics for SSL certificate usage).
News reports from a couple of weeks back indicate that a worm called Dumaru-Y installs a keylogger that listens for e-gold password and account numbers.
ZDNet .. VNUNet .. TechTarget
This is significant in that this might be the first time that viruses are specifically targetting the DGCs with an attack on the user's dynamic activity. (MiMail just recently targeted both e-gold and Paypal users with more conventional spoofs.)
e-gold is a special favourite with scammers and thieves for three reasons: its payments are RTGS, there is a deep market in independent exchange, and e-gold won't provide much help unless with a court order. Also, it is by volume of transactions by far the largest, which provides cover for theft.
This has been thought about for a long time. In fact, one issuer of gold, eBullion, has had a hardware password token in place for a long time. Others like Pecunix have tried to set up a subsetting password approach, where only a portion of the password is revealed every time.
European banks delivered hardware tokens routinely to thwart such threats. This may have been prudent, but it also saddled these systems with excessive costs; the price of the eBullion crypto token was thought to be too high for most users.
Using viruses is a new tactic, but not an unexpected one. As with all wars, look for an escalation of tactics, and commensurate and matching improvements in security.
Zooko O'Whielacronx wrote:
"Your paper about mutual funds, which I've only begun to look at, reminds me of an attack on a "stock market implementation in E." In my own opinion, my crack was trumped by Ralph Hartley's generalization ."
Ralph Hartley's generalization (read here) is spot on, with the caveat that the attacks apply equally to any stock exchange, rather than Mark Miller's demonstration stock exchange in particular. That's because these attacks are based on the coordination problem, and the timing aspects of stock trading dynamics. In that sense, they perfectly mirror some of the attacks that are going on in the mutual fund world today.
In the testimony/paper of a few weeks back, we said that RTGS solves these problems, although that's a generalism, and depends on the assumptions. The really important point is that the shorter the timeframe for the trade settlement, the shorter the opportunity for abuse; and the financial cryptographers in the above links came to the same conclusion.
Which makes it all the more poignant that the trading world managed to get to T+3 settlement, and stopped there. Desire to move to T+1 (we are talking one day here, not minutes or seconds) is non-existent, and opportunity for fraud remains as present as it ever was - given that most of the frauds of the mutual funds industry occurred within a one day timeframe.
FC 2004 starts this monday in Key West, Florida, USA. If you're not heading there by now, you're ... probably not going to make it!
http://fc04.ifca.ai/schedule.htm
http://www.federalreserve.gov/boarddocs/press/other/2004/20040130/default.htm
How to clean up the rock? New York clerks call the unreconciled difference between the custodians and DTC _the rock_ perhaps reflecting its size, but almost certainly also reflecting its resistence to resolution.
One way to deal with the rock is to write it off. Another way is to hide it or transfer it around like musical chairs, preferably in something like the book roll, that which gets rolled over every night to the next day's trading.
Up until recently, the rock's existence was a widely known secret amongst clerks, and the preferred way of dealing with it seemed to be to pretend the rock didn't exist. As a negative proof of the ostrich-like behaviour of the 'street, do a google on "rock unreconciled account" ... not a peep.
Unfortunately, when the WTC buildings were reduced to rubble, so did a lot of processing of security trades. As all the systems stopped for about 3 days, this opened up the unusual event of a systemic restart of the entire trading system.
Which meant that all traders had to declare the full and proper balance sheet - including the rock. As the total restart mean that there was no book roll, it was impossible to hide any more.
How big was it? Nobody's saying publically, but there are a smattering of banks and other intermediaries that are now for sale with books and claims that reveal the rock - curiously, attributed to 911 directly. Apparently it was big enough to ask for another restart, this time of the shareholders.
Which brings us to the Federal Reserve's rather odd intervention in the market for clearance and settlement - referenced above. Rumour has it that that Fed was a little surprised at the size of the rock, and has been moving to resolve it. Now, under the cover of a bunch of media sound bites, they have brought all the players together to start a new settlement system.
Call it a dormant bank, call it a third option, call it a challenge to DTC. Call it what you will, but players will be asked to walk in with clean books - this is a singularity, a once-off event that will permit the industry to divide itself between the rocked and the rolled.
http://www.federalreserve.gov/boarddocs/press/other/2004/20040130/default.htm
Payments Systems and Security
18/19th June 2004
Enhyper are proud to announce a conference with a difference,Payments Systems and Security, to be held at The Innholders Hall, London, on 18/19th Jun 2004.
At PaySec2004 we've brought together payments systems developers, security architects, operational risk practitioners and academics to address all aspects of technology, security and operation in the payment systems domain, both present and future state.
The best of the Internet versus the best of the City. Short key technical demonstrations will be interspersed to bring context to the challenges and the solutions. Rump sessions will allow you to contribute your experiences for the benefit of others.
Headline Topics
* Payment Transformations and integration
* Settlement to T+0 and RTGS
* Programmatic electronic contract negotiation
* Systems Performance Monitoring: Service Level Compliance
* Extensible Electronic Currency Frameworks
* SSL/SSH based infrastructure to enhance federated security
* Payment Systems as Critical National Infrastructure
* Automated System Risk Audits for Operational Risk Compliance
* Strategies for Defending against Infrastructure Attacks
* Reusable Security Architecture via pre-risk assessed patterns
Speakers
Geoff Chick, Product Director, Century 24 Solutions
Integration Objects
Dr Iain Saville, Head of Business Process Reform, Lloyds
Kinnect - Taking Contracts Digital
Ian Grigg, Principal Architect, Systemics
Integrating Business into the Payments System
Dr Alistair Dunlop, Director of the Open Middleware
Infrastructure Institute, University of Southampton
Grid Computing based Web Services
Paul Guthrie, Principal/CTO, Payment Software Corporation
Micropayments and E-Cash, Then and Now
Dr Simon Lelieveldt, Lelieveldt Consultancy
Security Profiles in Pre-paid payments
Frank Trotter, CEO, Everbank
Blazing the Internet Bank Trail
Graeme Burnett, Enhyper
Future State Security Architecture
James Turk, Managing Director, Goldmoney
Internet Gold - the new Governance
John Walker, Managing Director, NDS UK Ltd
Unto the breach: breaking the hardware and cryptography
of smart card chips.
(Some additional speaker slots are reserved.)
Details
Conference site is at http://www.enhyper.com/paysec/
Location: London, 18/19th Jun 2004. Venue details on site.
Cost: £1500 which includes all catering and all refreshments.
Advance Registration is at
http://www.enhyper.com/paysec/registration.html
Please note that this is not a sales conference.
Speakers are not selling their product to attendees.